From: "Wang, Jian J"
To: Laszlo Ersek, "devel@edk2.groups.io"
CC: "Yao, Jiewen", "Zhang, Chao B"
Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler
Date: Mon, 17 Feb 2020 07:51:06 +0000

Laszlo,

> -----Original Message-----
> From: Laszlo Ersek
> Sent: Monday, February 17, 2020 3:49 PM
> To: devel@edk2.groups.io; Wang, Jian J
> Cc: Yao, Jiewen; Zhang, Chao B
> Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in
> DxeImageVerificationHandler
>
> On 02/14/20 08:27, Wang, Jian J wrote:
> >> v2 changes:
> >>   - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
> >>   - Update result handling to all calling to IsCertHashFoundInDatabase
> >>     to be consistent (patch 6)
> >>   - Fix commit message and title length issue caught by PatchCheck tool
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
> > Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2
> >
> > Cc: Jiewen Yao
> > Cc: Chao Zhang
> >
> > Jian J Wang (9):
> >   SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
> >     per DBX(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
> >     IsAllowedByDb(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
> >     dbx(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
> >     code(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
> >     (1)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: tighten default
> >     result(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
> >     (2)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
> >     name(CVE-2019-14575)
> >
> > Laszlo Ersek (1):
> >   SecurityPkg/DxeImageVerificationLib: plug Data leak in
> >     IsForbiddenByDbx()(CVE-2019-14575)
> >
> >  .../DxeImageVerificationLib.c | 291 ++++++++++++------
> >  1 file changed, 198 insertions(+), 93 deletions(-)
> >
>
> Please put a space character in all the subject lines before the
> "(CVE-2019-14575)" part.
>

Ok, it'll be added before pushing.

Regards,
Jian

> Thanks
> Laszlo